12 Connectivity rule example

A stack's connectivity rule applies a requirement map to a pair of data endpoints. The IPv4 addresses in a packet are compared with the IPv4 addresses of the data endpoints of the connectivity rules in the order that those rules appear in the table. When the IPv4 addresses match, the packet is compared with that connectivity rule's traffic descriptors in the order they appear in the requirement map; when a match is found, the corresponding security level is applied. For IPSec, each requirement map ends with an implicit rule to deny all traffic. For AT-TLS, if a packet matches no rule, it is allowed to flow with no AT-TLS protection.

13 Requirement map example

A requirement map is a collection of traffic descriptors.
- You might define a requirement map named BranchOffice that provides a high level of protection for TN3270 and Web traffic but disallows (denies) all other traffic.
- You might define another requirement map named BusinessPartner that provides a high level of protection for Web traffic but disallows all other traffic.
- Then you could associate BranchOffice with the addresses of your branch offices in some connectivity rules.
- And associate BusinessPartner with the IPv4 addresses of your business partners in other connectivity rules.
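The matching order described in the two slides above (connectivity rules in table order, then the requirement map's traffic descriptors in order), as an added Python model that is not IBM code or Policy Agent syntax. The map names come from the slides; the ports, the "high" level label, the addresses (documentation ranges) and the outcome strings are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class TrafficDescriptor:
    name: str
    protocol: str        # "tcp" or "udp"
    local_ports: range   # ports on the local (z/OS) data endpoint
    level: str           # security level applied when this descriptor matches

@dataclass(frozen=True)
class ConnectivityRule:
    local: str           # local data endpoint, CIDR notation
    remote: str          # remote data endpoint, CIDR notation
    req_map: tuple       # requirement map: ordered traffic descriptors

# Map names come from the slides; ports, level label and addresses are constructed.
TN3270 = TrafficDescriptor("TN3270", "tcp", range(23, 24), "high")
WEB = TrafficDescriptor("Web", "tcp", range(80, 81), "high")
BRANCH_OFFICE = (TN3270, WEB)
BUSINESS_PARTNER = (WEB,)
RULES = [
    ConnectivityRule("192.0.2.10/32", "198.51.100.0/24", BRANCH_OFFICE),
    ConnectivityRule("192.0.2.10/32", "203.0.113.0/24", BUSINESS_PARTNER),
]

def evaluate(rules, tech, local_ip, remote_ip, protocol, local_port):
    """Return the outcome for one packet; tech is "ipsec" or "attls"."""
    lip = ipaddress.ip_address(local_ip)
    rip = ipaddress.ip_address(remote_ip)
    for rule in rules:                       # connectivity rules, table order
        if lip not in ipaddress.ip_network(rule.local):
            continue
        if rip not in ipaddress.ip_network(rule.remote):
            continue
        for td in rule.req_map:              # descriptors, requirement-map order
            if td.protocol == protocol and local_port in td.local_ports:
                return td.level
        if tech == "ipsec":
            return "deny"                    # implicit deny ending the IPSec map
        # Assumption: for AT-TLS, keep looking at later connectivity rules.
    # AT-TLS: no rule matched, traffic flows without AT-TLS protection.
    # IPSec with no matching endpoints is not described on the slides.
    return "unprotected" if tech == "attls" else "no-connectivity-rule"

if __name__ == "__main__":
    for tech in ("ipsec", "attls"):
        # FTP control (port 21) from a branch office is in neither map entry.
        print(tech, evaluate(RULES, tech, "192.0.2.10", "198.51.100.7", "tcp", 21))
```

Run under both technologies, the same BranchOffice map denies unlisted traffic for IPSec but lets it flow unprotected for AT-TLS, which is the difference to check before relying on a requirement map to block traffic.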

14 Traffic descriptor example

The IP Security configuration assistant comes with many traffic types already defined.
- They can be used as-is
- Or they can be modified to better match your local needs

This is an example of FTP server traffic.
- You may want to change the port range for passive data connections based on your local FTP server's PASSIVEDATAPORT value

In this example, we use the range from 50,000 to 50,200.

17 Example policy agent configuration file for IP security and AT-TLS

Locate or create a new Policy Agent configuration file that identifies the target stack by jobname and the location of its image file.
- The image file indicates the location of the policy configuration file.

For example, if the stack jobname is TCPCS, then the Policy Agent configuration file /etc/pagent.conf contains the following statement:

    TcpImage TCPCS /etc/tcpcs.image

And /etc/tcpcs.image contains the following statement:

    IpSecConfig /etc/tcpcs.policy

And start Policy Agent:

    pagent -c /etc/pagent.conf

19 AT-TLS example for TN3270 and CICS

Start making a requirement map.
- Copy the AT-TLS_Sample as a starting point

20 AT-TLS security level details

- The keyring may either be in an HFS file (managed by GSKKYMAN) or in RACF.
- The keyring location can be specified at a z/OS image level or on a traffic descriptor that describes a specific application.
- SSL/TLS protocol levels and ciphers can be chosen in the security level settings.
- Checking with one or more Certificate Revocation List servers is also supported.

21 AT-TLS keyring specification in a traffic descriptor

22 AT-TLS gold and platinum service levels

Copyright International Business Machines Corporation All rights reserved. Note to U.S. Government Users - Documentation related to restricted rights-use, duplication or disclosure is subject to restrictions set forth in GSA ADP Schedule Contract and IBM Corp.
